I have two contractors who need access to our SQL LOB application. They will be connecting via VPN to a router that authenticates via RADIUS on the DC. Now, the two servers in question are DCs. The users created are members of one Security Group - VPN Users. The only security right attached to this group is dial-in access.

On paper, this should be straightforward. The fly in the ointment is that maybe 75% of the share permissions on these servers include Full Access for Authenticated Users. Don't ask why and no, there's no chance to correct this at the moment.

SQL lives on DC2 but the ODBC settings on the client software negate any need for domain authentication. So, all I need is to stop these VPN users from browsing the network for shares and accessing them.

I have tried setting "Deny access from network" in the DC Security Policy but this seemingly hasn't helped.

For info: Both servers are W2003 SP2 Standard. The clients will be using XP/Vista.

Assuming that you're referring to file\folder (NTFS) permissions: explicit permissions take precedence over inherited permissions, so an explicit Allow permission would take precedence over an inherited Deny permission.
– joeqwerty, Jan 27 '10 at 0:44

Thanks everyone. The only method I was able to employ was to issue Deny rights on all shares for this user. A bit of a pain, but there was no time to re-invent the wheel, so to speak!
– Nordberg, Jan 29 '10 at 10:42
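The "Deny on every share" workaround above, scripted as an added example (not code from the thread). It assumes PowerShell with WMI access to the server and a group name such as `CONTOSO\VPN Users`, which is an assumed placeholder; it first reports every share whose share-level DACL gives Authenticated Users Full Control, then, if a group is given, prepends a Deny ACE for that group.

```powershell
# Added audit/mitigation example, not from the thread. Lists every share on a server
# whose share-level DACL grants Authenticated Users Full Control and, when -DenyGroup
# is given, prepends a Deny ACE for that group. Run elevated on or against the server.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$DenyGroup    = ''   # e.g. 'CONTOSO\VPN Users' (assumed name); empty = report only
)
$FullControl  = 0x1F01FF      # FILE_ALL_ACCESS, the mask Windows stores for share "Full Control"
$AuthUsersSid = 'S-1-5-11'    # well-known SID of Authenticated Users
$ns = "\\$ComputerName\root\cimv2"

$denySid = $null
if ($DenyGroup) {
    $denySid = (New-Object System.Security.Principal.NTAccount($DenyGroup)).Translate([System.Security.Principal.SecurityIdentifier])
}

$settings = Get-WmiObject -Namespace root\cimv2 -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName
foreach ($setting in $settings) {
    $sd   = $setting.GetSecurityDescriptor().Descriptor
    $dacl = @($sd.DACL | Where-Object { $_ -ne $null })

    foreach ($ace in $dacl) {
        # AceType 0 = allow, 1 = deny. Flag allow ACEs handing Full Control to Authenticated Users.
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $AuthUsersSid -and
            ($ace.AccessMask -band $FullControl) -eq $FullControl) {
            Write-Output ("{0}: Authenticated Users have Full Control at the share level" -f $setting.Name)
        }
    }

    # Admin shares (C$, ADMIN$, IPC$) are recreated at boot; their share ACLs cannot be changed.
    if (-not $denySid -or $setting.Name -match '^([A-Za-z]\$|ADMIN\$|IPC\$)$') { continue }
    if ($dacl | Where-Object { $_.AceType -eq 1 -and $_.Trustee.SIDString -eq $denySid.Value }) { continue }

    $sidBytes = New-Object byte[] $denySid.BinaryLength
    $denySid.GetBinaryForm($sidBytes, 0)
    $trustee = ([wmiclass]"${ns}:Win32_Trustee").CreateInstance()
    $trustee.SID       = $sidBytes
    $trustee.SIDString = $denySid.Value
    $deny = ([wmiclass]"${ns}:Win32_ACE").CreateInstance()
    $deny.AceType    = 1          # ACCESS_DENIED_ACE_TYPE
    $deny.AceFlags   = 0          # share ACEs carry no inheritance flags
    $deny.AccessMask = $FullControl
    $deny.Trustee    = $trustee

    # Deny ACEs go first so they are evaluated before any Allow ACE (canonical DACL order).
    $sd.DACL = @($deny) + $dacl
    $rc = $setting.SetSecurityDescriptor($sd).ReturnValue
    Write-Output ("{0}: Deny ACE for {1} written, return code {2} (0 = success)" -f $setting.Name, $DenyGroup, $rc)
}
```

This only touches share-level permissions (what SMB checks before NTFS), so a user reaching the same folders by another path, such as an interactive logon, is still governed by the NTFS ACLs discussed in the comment above.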

Any chance to terminate the VPN in a DMZ instead of on the LAN? If so, then you could punch a hole through the DMZ -> LAN on port 1433 to your SQL server.

If it was me, I wouldn't want anyone whose computer is not maintained by my company on my company's network. Thus the reason for putting them in their own DMZ. What if they get a virus, or are part of a spambot network and start sending out spam across the VPN tunnel out your Internet connection? There are a lot of scary scenarios for a paranoid person. :-)